Firmware Documents
//Update: 07.08.14
Because I only own an E-M10 this is all about the new OM-D camera. But the procedure for hacking an Olympus firmware is the same for all 3 OM-D cameras.
Firmware documentation can be found here:
http://dl01.olympus-imaging.com/ww/ud2/ENU/0001/1130/index01a.html
|
Firmware Update Document Olympus OM-D E-M10 |
This shows the internal "id" code for the E-M10: 1130. Every Olympus camera has one. For example E-M1's id is 1090 and E-M5's 0970.
The system behind the link: http://dl01.olympus-imaging.com/ww/ud2/[language]/0001/[camera id]/index[firmware number]a.html
Where the firmware number is an integer: Ver. 1.0= 1; Ver 1.1= 2; etc.
Firmware Bin
I searched for older firmware hacks for the OM-D series and found some people who downloaded and decrypted one for the E-M5:
http://www.personal-view.com/talks/discussion/2789/olympus-hacks/p2
On this page is a link to the binary firmware file of the E-M5 which is being downloaded by the "Olympus Digital Camera Updater" to update the firmware of your Olympus camera.
So I wrote an app to search(with the new id of the E-M10) the Olympus website for similar pages to get the firmware for the E-M10.
The link I found for the newest Version 1.1:
http://dl01.olympus-imaging.com/OLYMPUS_MASTER/FIRMWARES/0001/1130/OLY_E_113_1104_0000_0000.BIN
Binary Decryption
So as described at "person-view.com" I extracted all the files with the "oly_fw_tools" and got 64 files (incl. resources). Now that is where the fun part takes place: Reverse engineering.
So far I only had time to look at the strings inside the language and main code files and can say: The camera does not support 25fps video. Or in other words: Olympus did not wrote any code for that yet.
Years ago there where some rumors that the E-M5 does support 60/120fps, but as confirmed by others that settings is only for the internal view finder, which indeed has support for up to 240fps.
So to get further: I decrypted the main_code.bin (binary file) of the firmware with the command:
"oly_fw_manip.exe --analyze --in OLY_E_113_1104_0000_0000.dissected\00.main-code-01.bin --out .\OLY_E_113_1104_0000_0000.analysis"
What you get is the file "00.main-code-01.addr_strings_all.txt" which contains a more readable version of all strings you would also find in the HEX file. Encrypted and progressed code is being ignored, resulting in a "fun to search through" file.
some findings: (there are many)
- The E-M10 supports Bluetooth, which i did not know before. Apparently there is equipment which uses Bluetooth, but can we use it also for our purposes? The strings show that a "OLYMPUS BlueSDK a4" is used to connect to the PENPEL.
- 0x00DF39C8:WIFI SHELL //can we execute commands over WiFi?
- 0x000D5CC4:USF debugging shell Version 1.10 //The debugging shell Olympus made?
- System running: uITRON
- Broadcom BCM%04x 802.11 Wireless Controller with Broadcom SDPCMD CDC driver
- MAC address belongs to FUJITSU LIMITED
After I looked up almost the whole document I have to admit, that it's not as useful as I thought. It is basically a giant debug value text. It contains all kinds of debug strings for different situations like USB-, WiFi and SD-Card-debugging. If we get a shell to work, the possibilities are almost endless. Nevertheless it's also useful to get some cgi comands. Those are the commands send by the Olympus Image Share" App.
Well let's go on with the hex file.
(it's a time consuming process and the whole analysis takes time, so be patient :) )
Flashing the new Firmware
Flashing a manipulated firmware is not much of a problem. There is a pyhon script available to emulate the Olympus server. With this, a new (hacked) firmware can be flashed just like a normal one, no matter what version is installed.
|
The Server running with a python script. It detects the firmware as a file for the E-M10 |
|
It is German, but you can see, that the new firmware is detected as Version 1.2 |
This is not a manipulated firmware yet. It's just to test the update process before I risk anything else.
Result: It works like a charm! We can flash any firmware - check.
Next Step: scsi commands
Next up are commands you send by a usb wire to the camera. Because we have literally tons of debug commands I try to establish a debug connection.
//Original Publish Date: 29.07.14
//Update 1: 01.08.14
//Update 2: 04.08.14
//Update 3: 05.08.14